This policy is effective 1 April 2022. View our current privacy policy at marshcommercial.co.uk/info/privacy/
Marsh Limited (trading as Marsh Commercial) is an affiliate of Marsh & McLennan Companies, Inc. (MMC). Marsh Commercial strives to protect the privacy and the confidentiality of Personal Data that the company processes in connection with the services it provides to clients and individuals’ use of the Marsh Commercial websites. Marsh Commercial’s services consist primarily of risk consulting and insurance broking, which enable the consideration of, access to, administration of, and making of claims on, insurance and consultancy, advice and support surrounding employee health and benefits and risk management.
To arrange insurance cover and handle insurance claims, Marsh Commercial and other participants in the insurance industry are required to use and share Personal Data. For an overview of how and why the insurance industry is required to use and share Personal Data please see the Insurance Market Core Uses Information Notice hosted on the website of a UK insurance industry association, the Lloyd’s Market Association (the LMA Notice). Marsh Commercial’s use of Personal Data is consistent with the LMA Notice.
During the insurance lifecycle Marsh Commercial will receive Personal Data relating to potential or actual policyholders, beneficiaries under a policy, their family members, claimants and other parties involved in a claim. Therefore references to “individuals” in this notice include any living person from the preceding list, whose Personal Data Marsh Commercial receives in connection with the services it provides under its engagements with its clients. This notice sets out Marsh Commercial’s uses of this Personal Data and the disclosures it makes to other insurance market participants and other third parties.
Marsh Limited of 1 Tower Place West, Tower Place, London EC3R 5BU is the controller in respect of the Personal Data it receives in connection with the services provided under the relevant engagement with its client.
We collect and process the following Personal Data:
Where we collect such information directly from individuals, we will inform them of whether the information is required and the consequences of not providing it on the relevant form.
We collect and receive Personal Data from various sources, including (depending on the service we are seeking to or are providing and the country you are in):
Individuals and their family members, online, face to face, or by telephone, or in written correspondence;
In this section, we set out the purposes for which we use Personal Data, explain how we share the information, and identify the “legal grounds” on which we rely to process the information.
These “legal grounds” are set out in the General Data Protection Regulation (the GDPR) and the UK Data Protection Act 2018, which allow companies to process Personal Data only when the processing is permitted by the specific “legal grounds” set out in the GDPR (the full description of each of the grounds can be found here).
Please note that in addition to the disclosures we have identified in the table, we will disclose Personal Data for the purposes we explain in this notice to service providers, contractors, advisers, agents and MMC group companies that perform activities on our behalf.
When we collect, use or disclose to third parties (such as insurers, intermediaries and reinsurers) Special Categories of Personal Data and Criminal Records Data for the reasons set out in the table above and for profiling as set out in the next section, we typically do so for reasons of substantial public interests, namely because it is necessary for the wide range of insurance-related activities that we undertake or because it is necessary for fraud prevention purposes. Where we collect, use or disclose Special Categories of Personal Data in the administration of a UK Government scheme to provide compensation to industries affected by the COVID-19 pandemic, we may do so for reasons of substantial public interests insofar as it is necessary for government purposes.
Before you provide us with Special Categories of Personal Data and Criminal Records Data about a person other than yourself, you agree to notify such person of our use of their Personal Data and, if requested by us, to obtain their consent to our use of their Special Categories of Personal Data and Criminal Records Data (for example, by requiring the individual to sign a consent form).
Insurance premiums are calculated by insurance market participants benchmarking clients’ and beneficiaries’ attributes as against other clients’ and beneficiaries’ attributes and propensities for insured events to occur. This benchmarking requires Marsh Commercial and other insurance market participants to analyse and compile information received from all insureds, beneficiaries or claimants to model such propensities. Accordingly, we may use Personal Data to both match against the information in the models and to create the models that determine the premium pricing in general and for other insureds. Marsh Commercial and other insurance market participants may use special categories of Personal Data and criminal records data for such modelling to the extent it is relevant, such as medical history for life insurance or past motor vehicle convictions for motor insurance.
Marsh Commercial and other insurance market participants use similar predictive techniques to assess information that clients and individuals provide to understand fraud patterns, the probability of future losses actually occurring in claims scenarios, and as set out below.
We use these models only for the purposes listed in this Privacy Notice. In most cases, our staff make decisions based on the models.
These partially automated processes may result in a client not being offered insurance or affect the price or terms of the insurance.
Clients may request that we provide information about the decision-making methodology and ask us to verify that the automated decision has been made correctly. We may reject the request, as permitted by applicable law, including when providing the information would result in a disclosure of a trade secret or would interfere with the prevention or detection of fraud or other crime. However, generally in these circumstances we will verify that the algorithm and source data are functioning as anticipated without error or bias.
We may use your Personal Data to provide you with information about products or services which we think would be of interest to you. We may also share your Personal Data with other companies in the MMC group so that they can provide you with information about their products and services. These may be sent by email or post or, in some circumstances, we may telephone you to explain this information to you.
Within the MMC group we operate under a number of brands and you may receive such communications from the following of our trading names:
BESA Business Insurance Services | Mercer |
Bishop Skinner Marine | Mercer Marsh Benefits |
Broker 2 Broker | National Craft Butchers Insurance Services (NCBIS) |
Craft Bakers Association Insurance Services | NICEIC and ELECSA Insurance Services |
Darwin Technologies Limited | NICEIC Insurance Services |
EHA Insurance Services | Northwood Insurance Services |
ELECSA Insurance Services | Oxygen |
FENSA Business Insurance Services | Oxygen Professional Risks |
HAE Insurance Services | ReAct Insurance |
HETAS Insurance Services | REC Insurance Services |
Making Music Insurance Services | REFCOM Business Insurance Services |
Marsh | SMEI |
Marsh Commercial | SME Insurance Services (‘smei’) |
Marsh Private Clients | McCarthy & Stone Insurance Services |
We take care to ensure that our marketing activities comply with all applicable legal requirements. In some cases, this may mean that we ask for your consent in advance of us or our group companies sending you marketing materials.
In all cases, you can opt out of receiving marketing communications, at any time. You can do this by clicking on the "unsubscribe" link in any marketing email or by contacting us using the details set out at the end of this Privacy Notice.
Please note that, even if you opt out of receiving marketing messages, we may still send you communications in connection with the services we provide to you.
We have in place physical, electronic, and procedural safeguards appropriate to the sensitivity of the information we maintain. These safeguards will vary depending on the sensitivity, format, location, amount, distribution and storage of the Personal Data, and include measures designed to keep Personal Data protected from unauthorised access.
If appropriate, the safeguards include the encryption of communications via Secure Sockets Layer, encryption of information during storage, firewalls, access controls, separation of duties, and similar security protocols. We restrict access to Personal Data to personnel and third parties that require access to such information for legitimate, relevant business purposes.
We collect, use, disclose and otherwise process Personal Data that is necessary for the purposes identified in this Privacy Notice or as permitted by law. If we require Personal Data for a purpose inconsistent with the purposes we identified in this Privacy Notice, we will notify clients of the new purpose and, where required, seek individuals’ consent (or ask other parties to do so on Marsh Commercial’s behalf) to process Personal Data for the new purposes.
Our retention periods for Personal Data are based on business needs and legal requirements. We retain Personal Data for as long as is necessary for the processing purpose(s) for which the information was collected, and any other permissible, related purpose. For example, we retain certain transaction details and correspondence until the time limit for claims arising from the transaction has expired, or to comply with regulatory requirements regarding the retention of such data. When Personal Data is no longer needed, we either de-identify or aggregate the data (in which case we may further retain and use the de-identified or aggregated information for analytics purposes) or securely destroy the data.
Marsh Commercial transfers Personal Data to, or permits access to Personal Data from, countries outside the UK and European Economic Area (EEA). These countries’ data protection laws do not always offer the same level of protection for Personal Data as offered in the UK and EEA. We will, in all circumstances, safeguard Personal Data as set out in this Privacy Notice.
Certain countries outside the EEA have been approved by the European Commission as providing essentially equivalent protections as EEA data protection laws. EU data protection laws allow Marsh Commercial to freely transfer Personal Data to such countries.
If we transfer Personal Data to other countries outside the EEA, we will establish legal grounds justifying such transfer, such as MMC Binding Corporate Rules, model contractual clauses, individuals’ consent, or other legal grounds permitted by applicable legal requirements.
Individuals can request additional information about the specific safeguards applied to the export of their Personal Data.
We strive to maintain Personal Data that is accurate, complete and current. Individuals should contact us at dataprotection@marsh.com to update their information. Questions regarding Marsh Commercial’s privacy practices should be directed to the Data Protection Officer using the contact details in the Questions, Requests or Complaints section below.
Under certain conditions, individuals have the right to request that Marsh Commercial:
In addition, under certain conditions, individuals have the right to:
These rights are subject to certain exemptions to safeguard the public interest (e.g. the prevention or detection of crime) and our interests (e.g. the maintenance of legal privilege). We will respond to most requests within 30 days.
If we are unable to resolve an enquiry or a complaint, individuals have the right to contact the UK data protection regulator, the Information Commissioner’s Office (ICO). The ICO can be contacted by telephone at 0303 123 1113 or by email at casework@ico.org.uk.
To submit questions or requests regarding this Privacy Notice or Marsh Commercial’s privacy practices, please complete the form here. You will need to provide your email address when you make your request via this form.
If you would prefer to contact us by post or by phone, please contact the Data Protection Officer using the following contact details:
The Data Protection Officer
Marsh Commercial
1 Tower Place West
Tower Place
London
EC3R 5BU
Phone: 020 7357 1000
Email: dataprotection@marsh.com
Our websites may contain links to other third party websites. If you follow a link to any of those third party websites, please note that they have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. Please check these policies before you submit any personal information to such third party websites.
This Privacy Notice is subject to change at any time. It was last changed on 14 January 2022. If we make changes to this Privacy Notice, we will update the date on which it was last changed. Where we have an engagement with you, we will notify you of any changes we make to this Privacy Notice in accordance with the notice provisions in the terms of our engagement. In other circumstances, we will publish the revised Privacy Notice on our website.
Download our purpose of processing document.